Block Purchase Pipeline Third Party Insurance Administrator

Data Security: A Roadmap

Dodi Iverson, Executive Vice President, driasi
Richard Bellanca, Senior Vice President, Bank of America Corporation

Bank of America
- Over 38 million consumer & small business relationships
- Over 5,800 retail banking offices
- Over 16,700 ATMs
- Over 14.7 million active online users
- No. 1 overall Small Business Administration lender in the US
- Bank of America Corporation stock (ticker: BAC) is listed on the New York Stock Exchange
Higher Standards

Insurance Services Group
Line of business within Global Consumer & Small Business Banking.
Products include:
- Credit protection products
- Loan protection products
- Term life insurance
- Accidental death & disability
- Health savings accounts
- Long term care insurance
- Homeowners and auto insurance

driasi
- Outsourcing solution for insurance and non-insurance products
- Carrier and product independent
- Service 250+ financial institutions and 50+ insurance companies
- Core focus administration
- End to end or modular solutions
- Retention and process optimization
- SAS 70 Type II
- Operational excellence driven by security, innovation and reliability

Terms & Overview: Data vs. Information
- Confidential data: Data can only be shared internally on a need to know basis. Examples include consumer information such as date of birth, marital status, social security number, health claims.
- Proprietary data: Information intended for internal distribution only. Examples include organizational charts, inter-office mail, unreleased pilot offerings.
- Public data: Information obtained from or intended for public disclosure. Examples include marketing brochures, press releases, annual reports.

Encryption
068567839
068-56-7839
Transmitted data is coded, making it unintelligible if intercepted by a 3rd party. Only the sender and the recipient have the "key" to unlock the code.

Security Breaches
- Communications company robbed of employee data
- In efforts to recycle used paper, company exposes confidential customer data
- Laptop stolen, grad students info exposed
- ID verification service provider sends personal, financial info to con artists
- Un-encrypted data with 20 years of employee data vanishes while in transport

Data Security Roadmap
[Diagram] Key components: behavior & value management; awareness & responsibility; risk assessment; security design & management; execution

Methods of the Trade
- System hacking
- Codes/scams
- Physical negligence
- Stolen equipment
- Disgruntled employees

Identity Theft Categories
Personal identifiable theft:
- Examples: social security number, online banking log-in/password
- Theft is beyond a single account
- Thief has ability to create additional accounts
- Loss potential is greater
- Criminal may wait in excess of 15 months before striking
Account theft:
- Example: credit card is stolen
- Theft is typically limited to a single account
- Short-term window for thief

Root Causes for Identity Theft
- Prevalence of SSN as a unique identifier
- Information security not equal among organizations
- More information about individuals stored on central databases
- Personal security
- Expansion of electronic fraud

Key Customer Data
Customer data that can be used against you:
- Checking or credit card account numbers
- Social security number
- Drivers license number
- ATM card
- Date of birth
- Home address
- Phone number
- Credit reports
- Passwords

Common Security Concerns
- Cyber threats rank higher than physical breaches
- 73% felt domestic suppliers posed less risk
- Buyers don't believe security claims of suppliers and are conducting their own audits
- 30% factor
- ISO 17799
- ISO 27001
- SAS 70 Type II
Source: Booz Allen Hamilton study, June 2006

Data Security: A Supplier Differentiator
Then / Now

Assessing Data Security Risk
- Failure modes & effects analysis
- Expense vs. security achieved
[Chart] Axes: dollars, security achieved; marker: 100% security

Dollar Amount Losses by Type
[Chart] Source: CSI/FBI 2005 Computer Crime and Security Survey; Computer Security Institute

Security Technologies Used
[Chart] Source: CSI/FBI 2005 Computer Crime and Security Survey; Computer Security Institute

Data Steward
Data stewards ensure that a critical asset, customer and account data, is received, verified and delivered to all appropriate information users in an accessible, consistent and timely manner.

Data Exchange Process Map

Participants: 3rd party vendor (bus), 3rd party vendor (tech), BAC product manager, BAC information mgr
Purpose: introductory meeting; high level overview of the data exchange process

Participants: 3rd party vendor (bus), 3rd party vendor (tech), BAC information mgr
Purpose: # of files; file layouts; frequency; contacts; exchange protocols; quality assurance requirements; SLA

Participants: BAC information mgr
Purpose: register data exchange in the central repository

Participants: BAC DTS, 3rd party vendor (tech)
Purpose: BAC DTS provides email with instructions for data exchange process

Participants: BAC DTS, 3rd party vendor (tech)
Purpose: exchange IP addresses; exchange passwords; notification procedures; automate scripts, if necessary

Participants: BAC information manager, 3rd party vendor (bus), 3rd party vendor (tech)
Purpose: review field definitions; determine valid values that vendor will provide; answer additional questions

Participants: BAC information manager, BAC - DTS, 3rd party vendor (tech)
Purpose: test end to end file submission, connectivity test

Participants: BAC information manager, BAC - DTS, 3rd party vendor (tech), 3rd party vendor (bus)
Purpose: file receipt and load; continual feedback on new valid values or data anomalies

Data Management Environment

Mitigating Theft
Technical infrastructure:
- Multi-tier architecture
- Multi-factor authentication
- Continuous server monitoring
- Access controls
Business processes:
- Employee training
- Policy enforcement
- No confidential data on hard drive
- Cross shredding
- Access controls
Technical tools:
- Encryption
- Anti-virus/spyware
- Electronic transmissions (Secure Sockets Layer (SSL), FTP/PGP, NDM)

Infrastructure Categories
- Production contact routines/calendar
- Roles & responsibilities
- Change control
- Adding new sources
Quality:
- Quality assurance practices
- Metadata management
- Defect resolution process
Governance:
- The data council
- Downstream SLA
- Source data provider SLA
- User access/standards
Communications:
- Communication plan
- Data steward program
- Corporate partnerships

Sample

Password Best Practices
Do not:
- Use your name in any form
- Use a word contained in dictionaries, or standard word lists
- Use other information easily obtained about you
- Write a password down or store it online
- Reveal a password to anyone
- Use shared accounts
Do:
- Use a password with mixed-case letters
- Use a password that contains alphanumeric characters and punctuation
- Use a password that can be typed quickly
- Change passwords regularly
blak4bord2l8againseeeshorrabf&r2oc

Information Exchange
- All data exchanges must be submitted via encrypted electronic transmission. Never submit customer or account data via tape, CD, disks, etc.
- Any email communication that contains confidential information must be encrypted.
- Data exchanges between vendors that contain BAC customer data must adhere to same standards as exchanging with BAC.
- Never store customer or other sensitive banking data on computer/laptop hard drives.

Governance Elements
Major deliverables:
- Service level agreements - source providers
- Service level agreements - information users
- User access request forms
